[c-nsp] Routing within a L2TP session using VPDNs

Alex Foster afoster at gammatelecom.com
Fri Feb 10 17:57:02 EST 2006


Hello Kristo,

Your understanding is correct - only wish I could have explained it that
way in the first place.  I guess my options are limited here... RADIUS it
is!!  Thanks for your and Oli's help here - much appreciated.

Regards

Alex

-----Original Message-----
From: Kristofer Sigurdsson [mailto:kristosig at gmail.com] 
Sent: 10 February 2006 21:56
To: Alex Foster
Cc: Oliver Boehmer (oboehmer); cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Routing within a L2TP session using VPDNs

Hello Alex,

Okay, so, if I understand you correctly, the 1221 is an ADSL router
which has an ADSL connection completely independent from your LAC/LNS
setup, through another provider.  What you would like to establish is a
tunnel to the router from your network, across this other provider's
infrastructure.

As you and Oli have pointed out, static configuration does not scale
for thousands of customers, so you'll have to do it dynamically.  You
don't want to run routing protocols against the 1221 box, which is
understandable, as that's CPE - running IGPs against customers is a bad
thing, and I'm assuming these are non-BGP-speaking residential or SOHO
customers.

I really can't think of any other way to accomplish your needs for
dynamic routes from your LNS to your customers than using the RADIUS
solution both Oli and I suggested.

What you need to do is at least let a RADIUS server handle
authorization (possibly authentication as well) for your customers'
L2TP connections.  Apart from making things easier for you by adding
the possibility of RADIUS-assigned peer IP addresses (no peer default
ip address under the interface config of the virtual-template), a RADIUS
server can send the aforementioned Framed-Route attribute, which
populates the LNS's routing table with a per-user static route that
stays in the routing table as long as the tunnel is active.

2006/2/10, Alex Foster <afoster at gammatelecom.com>:
>
> Hi Oli/Kristo
>
> I guess my original description of the issue kinda confused things - the
> 1221 is an ADSL router capable of L2 tunnelling - so it functions as a
> LAC in respect to the whole LAC-LNS scheme of things.  When I was
> talking about a route to the LAC - I actually meant a route to the peer
> IP address of the PPP session, but as you correctly pointed out, repeat
> this hundreds of times and it gets ugly - hence my original issue.
> Perhaps if I explain the network setup again - it may clear the waters a
> bit.
>
> The 1221 will connect to an ADSL provider's network - that PPP session
> will be authenticated and allocated a public address using RADIUS -
> standard stuff.  On demand, the 1221 will then set up an L2 tunnel to the
> 7200 (LNS) - this is where it gets a little hazy for me.  Since I'm not
> authenticating this PPP session or L2 tunnel - how can I use RADIUS - or
> is it a case of I have to, otherwise this solution won't scale?  I am by
> no means a RADIUS expert - and don't fully understand how the
> Framed-Route attribute can populate a router's routing table (if that's
> what it does - excuse my ignorance !!!), so if you can educate me here I
> would be grateful.
>
> Kind Regards
>
> Alex
>
> -----Original Message-----
> From: Oliver Boehmer (oboehmer) [mailto:oboehmer at cisco.com]
> Sent: 10 February 2006 17:47
> To: Alex Foster; Kristofer Sigurdsson
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Routing within a L2TP session using VPDNs
>
> Alex,
>
> since you authenticate the users through Radius (you are running chap or
> pap on the PPP sessions, right?), just give them a static route via the
> Framed-Route attribute in their user's profile and redistribute this
> route into your routing protocol of choice.
> Since all sessions arriving at the LNS are terminated on virtual-access
> interfaces, you cannot use static routes on the router (unless you point
> them at their peer ip address so they will get resolved once they're
> dialed in, but this is ugly and not really recommended).
>
> A route to the LAC doesn't do anything, the LAC is not involved in any
> way in the user's L3 connection (it just forwards the PPP sessions to
> the LNS).
>
>         oli
>
> Alex Foster <> wrote on Friday, February 10, 2006 6:35 PM:
>
> > Hi Kristo
> >
> > Thanks for this - I'm not planning on using RADIUS to authenticate the
> > tunnel setup.  In our situation the client network will already have an
> > address (the LAC is a Telindus 1221 ADSL box that is shipped out to the
> > customer - pre-configured).  The client network sits on the back of the
> > same box.  The ADSL part of the connection is authenticated through
> > RADIUS but not the L2 tunnel.  Once the L2 tunnel is established - I
> > need to be able to route the client network from the LNS - at the moment
> > the only way I've been able to do this is by configuring static routes
> > that point to the tunnel IP address on the LAC.
> >
> > When using a VPN Concentrator you can specify the remote networks in a
> > network-list that acts as a route statement (for LAN-to-LAN sessions),
> > I'm wondering if there is a similar command in IOS - or rather hoping
> > there is.
> >
> > Regards
> >
> > Alex
> >
> >
> > -----Original Message-----
> > From: Kristofer Sigurdsson [mailto:kristosig at gmail.com]
> > Sent: 10 February 2006 12:27
> > To: Alex Foster
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Routing within a L2TP session using VPDNs
> >
> > We are doing a very similar thing, but we don't have to route to a LAC
> > address on the LNS; our routes are to the client address (assigned by
> > the LNS, from a RADIUS server).
> >
> > We do the routes dynamically via the use of the Framed-Route RADIUS
> > attribute.
> >
> > -Kristo
> >
> > 2006/2/10, Alex Foster <afoster at gammatelecom.com>:
> >> I am trying to set up a number of L2TP sessions to a 3620 using
> >> VPDNs. The LAC is a non-Cisco product - but works well and I have the
> >> tunnels established and working.  What I'm not sure about is how to
> >> route to the client network on the back of the LAC.  Diagram:
> >>
> >> Client Network------LAC--------LNS-------ISP
> >>
> >> It's a basic config on the 3620 using the default VPDN group and a
> >> virtual-template.
> >>
> >> At the moment the only way I can route to the client network (from
> >> the ISP network) is to configure a static route on the LNS (to the
> >> client network) via the tunnel address on the LAC (this address is
> >> assigned by the LAC).  I need to scale this network beyond a few
> >> thousand users (the 3620 is only a test box at the moment) so adding
> >> static routes to each client network isn't ideal - I'm also not keen
> >> on using routing protocols.  Any help would be appreciated.
> >>
> >> ...
> >>
> >> vpdn-enable
> >> !
> >> vpdn-group Access
> >> ! Default L2TP VPDN group
> >>  accept-dialin
> >>   protocol l2tp
> >>   virtual-template 1
> >>  no l2tp tunnel authentication
> >>  source-ip 192.168.10.1
> >> !
> >> !
> >> interface loopback 0
> >>  ip address 192.168.254.254 255.255.255.255
> >> !
> >> interface FastEthernet1/0
> >>  ip address 192.168.10.1 255.255.255.252
> >> !
> >> interface FastEthernet1/1
> >>  ip address 10.50.32.180 255.255.255.0
> >> !
> >> interface Virtual-Template1
> >>  ip unnumbered Loopback0
> >> !
> >> ip route 0.0.0.0 0.0.0.0 192.168.10.2
> >>
> >>
> >>
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>
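Kristofer's point above, that a Framed-Route attribute in the Access-Accept gives the LNS a per-user static route that exists only while the session is up, modelled in Python as an added example (not code from the thread, from IOS or from any RADIUS server). The attribute names and the "prefix gateway [metric]" syntax follow RFC 2865; the session bookkeeping and all sample addresses are constructed.

```python
import ipaddress

FRAMED_IP = "Framed-IP-Address"  # RFC 2865 attribute 8
FRAMED_ROUTE = "Framed-Route"    # RFC 2865 attribute 22: "prefix gateway [metric]"


def parse_framed_route(value, peer_ip):
    """Turn one Framed-Route string into (prefix, gateway, metric).

    RFC 2865: a gateway of 0.0.0.0 means "via the peer itself", so it is
    replaced by the session's Framed-IP-Address; the metric defaults to 1.
    """
    parts = value.split()
    if len(parts) < 2:
        raise ValueError(f"malformed Framed-Route: {value!r}")
    prefix = ipaddress.ip_network(parts[0], strict=False)
    gateway = ipaddress.ip_address(parts[1])
    if gateway == ipaddress.IPv4Address("0.0.0.0"):
        gateway = ipaddress.ip_address(peer_ip)
    metric = int(parts[2]) if len(parts) > 2 else 1
    return (prefix, gateway, metric)


class LnsRouteTable:
    """Per-session static routes: installed on session-up, withdrawn on session-down."""

    def __init__(self):
        self.by_session = {}  # session id -> [(prefix, gateway, metric), ...]

    def session_up(self, session_id, access_accept):
        # Routes come only from an authorized session's Access-Accept attributes.
        peer_ip = access_accept[FRAMED_IP]
        routes = [parse_framed_route(r, peer_ip)
                  for r in access_accept.get(FRAMED_ROUTE, [])]
        self.by_session[session_id] = routes
        return routes

    def session_down(self, session_id):
        # Framed-Route entries live only as long as the tunnel/session does.
        return self.by_session.pop(session_id, [])

    def active_routes(self):
        return [r for rs in self.by_session.values() for r in rs]


# Constructed sample Access-Accept for one CPE; all addresses are made up.
SAMPLE_ACCEPT = {
    FRAMED_IP: "10.200.0.17",
    FRAMED_ROUTE: ["172.16.5.0/24 0.0.0.0 1", "172.16.6.0/24 0.0.0.0"],
}
```

Calling `session_up` yields the routes the LNS would install (here both via 10.200.0.17, the peer's own address); `session_down` withdraws them, which is the scaling property the thread is after.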
> >
> >
> > This message has been scanned for viruses by MailController -
> > www.MailController.altohiway.com
> >
> >
> > The information in this e-mail and any attachments is confidential
> > and may be subject to legal professional privilege. It is intended
> > solely for the attention and use of the named addressee(s). If you
> > are not the intended recipient, or person responsible for delivering
> > this information to the intended recipient, please notify the sender
> > immediately. Unless you are the intended recipient or his/her
> > representative you are prohibited from, and therefore must not,
read,
> > copy, distribute, use or retain this message or any part of it. The
> > views expressed in this e-mail may not represent those of Gamma
> > Telecom.
> >
> > This message has been scanned for viruses by MailController
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>



More information about the cisco-nsp mailing list